Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (12829)

CVE-2025-34764
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34763
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34762
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34761
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34760
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34759
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34758
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34757
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34756
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34755
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34754
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34753
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34752
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34751
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34750
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34749
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34748
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34747
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34746
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34745
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34744
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34743
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34742
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34741
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34740
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34739
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34738
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34737
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34736
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34735
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34734
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34733
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34731
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34730
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34729
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34728
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34727
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34726
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34725
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34724
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34723
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34721
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34720
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34719
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34718
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34716
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34715
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34714
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34713
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34711
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34710
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34709
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34708
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34707
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34706
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34705
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34703
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34702
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34701
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34700
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34699
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34698
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34697
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34696
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34695
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34694
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34693
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34692
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34689
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34688
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34687
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34686
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34685
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34684
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34683
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34681
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34680
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34679
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34678
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34677
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34676
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34675
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34674
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34673
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34672
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34671
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34670
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34669
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34666
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
CVE-2025-34665
Awaiting Data

Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.

Information Disclosure
NVD
Prev Page 36 of 143 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
12829

Related CWEs

MITRE ATT&CK

References

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy